CVE-2021-39178 HIGH

CVE-2021-39178: XSS in Image Optimization API for Next.js versions between 10.0.0 and 11.1.0

Vendor Vercel
Product next.js
Weakness CWE-79 · XSS
Published August 30, 2021
Last update August 4, 2024
View on NVD All CVEs

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default or the instance is deployed on Vercel, the instance is not affected by the vulnerability. The vulnerability is patched in Next.js version 11.1.1.

Key dates

02Disclosure timeline

August 30, 2021 CVE published
August 4, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-31806 WordPress Webling plugin <= 3.9.0 - Cross Site Scripting (XSS) vulnerability CVE-2025-22789 WordPress polka dots theme <= 1.2 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2026-0555 Premmerce <= 1.3.20 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'premmerce_wizard_actions' AJAX Endpoint CVE-2024-48036 WordPress SKT Blocks plugin <= 1.6 - Cross Site Scripting (XSS) vulnerability CVE-2022-44473 AEM Reflected XSS Arbitrary code execution